Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Summary: The botnet masters behind the Asprox botnet have recently started SQL injecting fast-fluxed malicious domains in order to enjoy a decent tactical advantage in an attempt to increase the survivability of the malicious campaign. I first assessed the Asprox botnet in January, and again in April when it started scaling and diversifying its campaigns from fake Windows updates, to fake Yahoo ecards, as well as executable news items.

A botnet crunching out phishing emails and spam as usual? Depends on the momentum. Automating the process of SQL injecting a large number of sites is one thing; SQL injecting fast-fluxed domains is entirely another. Secureworks comments on the introduction of the SQL injection tool within the botnet:

"As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84.com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool."

Now comes the fast-flux. The latest massive SQL injection attack courtesy of the Asprox botnet is this time using the banner82 .com domain, which continues to be in fast-flux mode: it is simultaneously hosted at ten different malware-infected IPs, with the IPs constantly changing. Let's illustrate this by taking a look at the changing IPs responding to the same domain within a period of 24 hours:

What is the objective of the latest SQL injection attack launched by the Asprox botnet? It's infecting new hosts to be added to the botnet. Banner82 .com has a tiny iFrame that attempts to load dll64 .com /cgi-bin/index.cgi?admin, where the NeoSploit malware exploitation kit is serving the MDAC ActiveX code execution exploit (CVE-2006-0003).
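The injected iFrame described above is small enough to be invisible to the visitor and loads from a domain the compromised site does not own. A quick way for a site owner or responder to check captured page source for that pattern is shown below. This is an added example, not code from the original post or from any of the parties it describes; the HTML, hostnames and the pixel threshold are constructed for the demonstration.

```python
"""Flag tiny, hidden or third-party iframes in captured page source.

Added example (not part of the original post). It walks the HTML with the
standard-library parser and reports every iframe that is (a) sized at or
below a few pixels, (b) hidden by inline style, or (c) loading from a host
other than the page's own. The sample markup and hostnames are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 4  # assumed: width/height at or below this is an attempt to hide the frame


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse '1', '1px', ' 100 ' into an int, or None if not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected/hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        reasons = []
        style = frame.get("style", "").replace(" ", "").lower()

        # (a) tiny dimensions, via attributes or inline style
        w, h = _px(frame.get("width")), _px(frame.get("height"))
        for dim in ("width", "height"):
            m = re.search(rf"{dim}:(\d+)px", style)
            if m:
                if dim == "width":
                    w = int(m.group(1))
                else:
                    h = int(m.group(1))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny dimensions")

        # (b) hidden by CSS
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")

        # (c) src on a host other than the page's own
        src = frame.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != page_host.lower():
            reasons.append(f"third-party src {host}")

        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one injected-looking frame, one legitimate embed,
# one same-origin frame hidden by CSS.
SAMPLE_HTML = """<html><body><p>news item</p>
<iframe src="http://ads.example-malicious.invalid/cgi-bin/index.cgi?admin" width="1" height="1"></iframe>
<iframe src="/embed/video" width="640" height="360"></iframe>
<iframe src="http://www.example.com/widget" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src or "(no src)", "->", ", ".join(why))
```

Run it against a saved copy of a page rather than a live fetch, so the check does not itself request the third-party URL; the third-party test alone will also flag legitimate embeds, which is why the reasons are reported separately instead of collapsed into one verdict.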

Here are sample fast-fluxing DNS servers used by banner82 .com, as well as a sample internal fast-flux structure used by the botnet:

The screenshots speak for themselves, and for the infrastructure they've managed to build using the malware-infected hosts to send scams, host the scam domains, infect new hosts, scan for vulnerable sites, SQL inject them and host the live exploit URLs within. With fast-flux infrastructure provided by the botnet's own infected population and an automated SQL injection process, the Asprox botnet is slowly turning into a self-sustaining cybercrime platform.
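The fast-flux behaviour described above (one domain answering from around ten constantly changing infected IPs over 24 hours) leaves a characteristic trace in passive-DNS or resolver logs: many distinct A records, spread across unrelated networks, with short TTLs. The script below scores resolution records for exactly that pattern. It is an added example, not code from the original post; the log lines, domain names and thresholds are constructed for the demonstration and are not values from the post.

```python
"""Score DNS resolution records for fast-flux behaviour.

Added example (not part of the original post). Input lines have the shape
'ISO-timestamp domain ip ttl', as a passive-DNS export might provide. A
domain is flagged when, within the last 24 hours of its observations, its
A records churn through many addresses in several /16 networks and the
TTLs are short. All thresholds below are assumptions for the demo.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DISTINCT_IPS = 5    # assumed: many unique answers inside the window
MIN_DISTINCT_NETS = 3   # assumed: spread over several /16 networks
MAX_TTL = 600           # assumed: short TTLs let the operator rotate answers
WINDOW = timedelta(hours=24)


def parse_record(line):
    """Parse 'ISO-timestamp domain ip ttl' into (datetime, domain, ip, ttl)."""
    ts, domain, ip, ttl = line.split()
    return datetime.fromisoformat(ts), domain.lower(), ipaddress.ip_address(ip), int(ttl)


def flux_report(lines):
    """Return per-domain counters and a fast_flux verdict."""
    by_domain = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, dom, ip, ttl = parse_record(line)
            by_domain[dom].append((ts, ip, ttl))

    report = {}
    for dom, obs in by_domain.items():
        obs.sort(key=lambda o: o[0])
        latest = obs[-1][0]
        # only look at the trailing 24-hour window of observations
        recent = [o for o in obs if latest - o[0] <= WINDOW]
        ips = {ip for _, ip, _ in recent}
        # collapse addresses to their /16 to approximate "different hosting networks"
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        min_ttl = min(ttl for _, _, ttl in recent)
        flagged = (len(ips) >= MIN_DISTINCT_IPS
                   and len(nets) >= MIN_DISTINCT_NETS
                   and min_ttl <= MAX_TTL)
        report[dom] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min_ttl,
            "fast_flux": flagged,
        }
    return report


# Constructed sample log: one fluxing domain answering from seven addresses in
# four networks with 300 s TTLs, and one ordinary domain with a stable record.
SAMPLE_LOG = """
2008-05-15T00:10:00 flux.example.invalid 203.0.113.10 300
2008-05-15T02:40:00 flux.example.invalid 198.51.100.23 300
2008-05-15T05:05:00 flux.example.invalid 192.0.2.77 300
2008-05-15T08:30:00 flux.example.invalid 203.0.113.10 300
2008-05-15T11:15:00 flux.example.invalid 198.51.100.90 300
2008-05-15T14:50:00 flux.example.invalid 192.0.2.130 300
2008-05-15T18:20:00 flux.example.invalid 203.0.113.201 300
2008-05-15T21:45:00 flux.example.invalid 100.64.7.9 300
2008-05-15T01:00:00 static.example.invalid 192.0.2.1 3600
2008-05-15T13:00:00 static.example.invalid 192.0.2.1 3600
"""

if __name__ == "__main__":
    for dom, stats in flux_report(SAMPLE_LOG.strip().splitlines()).items():
        print(dom, stats)
```

Content delivery networks also answer with many short-lived IPs, so in practice this score is a triage signal to be combined with the network-ownership check (botnet flux nodes sit in consumer broadband ranges, CDN nodes in the provider's own allocations) rather than a verdict on its own.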

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community...